Does Microsoft’s HealthVault really protect your privacy?

When Microsoft launched its much-ballyhooed HealthVault medical-records system for individuals (see my review here), it made such a fetish of security protections that it virtually rendered the service unusable. My own effort just to establish a HealthVault account took roughly two hours, much of that devoted to simply coming up with a password the system would accept; I documented the struggle here. One of the company’s PR reps even emailed me to note that Microsoft is taking “extra precautions at every layer of security” because “privacy and security is one of the areas that Microsoft is taking very seriously for HealthVault.”

As I wrote at the time, it’s hard to fault Microsoft for being paranoid about security, given how privacy concerns are going to be a major hurdle to widespread adoption of online health records. But is the Redmond giant really serious about protecting patient privacy?

Maybe not. Earlier this week, Annie Antón, a software professor at North Carolina State University, raised three important questions about Microsoft’s dedication to patient privacy based on a close reading of the HealthVault privacy statements (here and here). Antón’s post at the Privacy Place blog is worth reading in its entirety, but I can’t help summarizing it as well.

The big surprise (to me, at least) is that services like HealthVault aren’t covered by HIPAA, a mammoth federal law that, among other things, sets some strict standards for the privacy of medical data. Privately-managed record repositories like HealthVault apparently weren’t even envisioned when Congress passed HIPAA in 1996, and so they’re exempt from its provisions (which, to be fair, many people consider onerous).

All that makes it even more important to look at what Microsoft actually promises, and what Antón turned up is disquieting. For instance, Microsoft reserves the right to store your medical data offshore, in countries that may not have the same privacy protections as the U.S.

The software giant also plans to merge other personal information it holds about you with information stored in HealthVault. (That certainly puts the intrusive questions Microsoft’s Live.com service posed to me during registration in a new light.) Finally, HealthVault appears to open the door to a potentially unlimited line of people, entities or programs that can obtain permission to read and alter your health information, since it’s possible to delegate the ability to grant those permissions to others.
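The delegation concern in the paragraph above is easier to see with a concrete model. The following Python is an added illustration, not code from Microsoft or HealthVault, and it assumes a hypothetical access-control list in which a grant can carry the right to re-delegate. It shows that when that right is transitive and unbounded, the set of parties able to read or alter a record grows with the length of the chain, and that two defender-side controls (a maximum delegation depth and a rule that nobody can hand out more rights than they hold) bound that growth. The class and function names, the sample party names and the depth limit are all constructed for the example.

```python
from dataclasses import dataclass, field
from typing import Optional


@dataclass
class Grant:
    """One access grant on a single health record (hypothetical model)."""
    grantor: str
    grantee: str
    actions: frozenset          # e.g. {"read", "write"}
    may_delegate: bool          # may the grantee pass these rights on?
    depth: int                  # 0 = granted directly by the record owner


@dataclass
class RecordACL:
    """Access-control list for one record. Simplification: one grant per grantee."""
    owner: str
    max_delegation_depth: Optional[int] = None   # None = chain length is unbounded
    grants: dict = field(default_factory=dict)   # grantee -> Grant
    audit_log: list = field(default_factory=list)

    def grant(self, grantor, grantee, actions, may_delegate=False):
        actions = frozenset(actions)
        if grantor == self.owner:
            depth = 0
        else:
            parent = self.grants.get(grantor)
            # A party may only delegate if its own grant says so.
            if parent is None or not parent.may_delegate:
                raise PermissionError(f"{grantor} cannot delegate access")
            # Least privilege: nobody can hand out rights it does not hold.
            if not actions <= parent.actions:
                missing = sorted(actions - parent.actions)
                raise PermissionError(f"{grantor} lacks rights {missing}")
            depth = parent.depth + 1
            # Depth limit: the chain cannot grow beyond what the owner allowed.
            if self.max_delegation_depth is not None and depth > self.max_delegation_depth:
                raise PermissionError("delegation chain too long")
        self.grants[grantee] = Grant(grantor, grantee, actions, may_delegate, depth)
        # Every grant is recorded so the owner can later see who let whom in.
        self.audit_log.append((grantor, grantee, tuple(sorted(actions)), may_delegate, depth))

    def who_can(self, action):
        """Every party currently permitted to perform `action` on the record."""
        return {g.grantee for g in self.grants.values() if action in g.actions}

    def chain_to_owner(self, party):
        """Walk the delegation chain from `party` back to the record owner."""
        chain = [party]
        while chain[-1] != self.owner:
            chain.append(self.grants[chain[-1]].grantor)
        return chain


def can_grant(acl, grantor, grantee, actions, may_delegate=False):
    """True if the grant is accepted under the ACL's rules, False if refused."""
    try:
        acl.grant(grantor, grantee, actions, may_delegate=may_delegate)
        return True
    except PermissionError:
        return False


def build_chain(acl, length, actions=("read", "write")):
    """Extend owner -> party1 -> party2 -> ... as far as the ACL allows.

    Returns how many parties ended up able to write to the record.
    """
    grantor = acl.owner
    for i in range(1, length + 1):
        grantee = f"party{i}"          # constructed sample party names
        if not can_grant(acl, grantor, grantee, actions, may_delegate=True):
            break
        grantor = grantee
    return len(acl.who_can("write"))


if __name__ == "__main__":
    unbounded = RecordACL(owner="patient")
    print("unbounded chain, 50 hops:", build_chain(unbounded, 50), "parties can write")
    bounded = RecordACL(owner="patient", max_delegation_depth=1)
    print("depth limit 1, 50 hops:  ", build_chain(bounded, 50), "parties can write")
    print("audit trail for bounded record:", bounded.audit_log)
```

With no depth limit, every hop adds another party with full access to the record, which is the "potentially unlimited line" the paragraph describes. With a depth limit of 1, the chain stops at the first re-delegation, and the audit log lets the owner see exactly who admitted whom.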

Antón also questions whether Microsoft’s decisions in these cases leave users with any legal recourse if their data does leak. It’s a great question, and one I’m in no position to answer at the moment, although I’d certainly want to take a hard look at extending HIPAA privacy provisions to these sorts of electronic records. This analysis certainly underscores the wisdom of approaching services like HealthVault very, very cautiously, because once your medical privacy has been breached, there’s virtually no way of getting it back.